Technical Tip: Setting up default NAC Policy for Unmatched/unknown Devices

The following configuration makes it possible to map a specific VLAN other than the onboarding VLAN for devices that are not matched by any configured NAC policies.

1. Create a VLAN for Unmatched Devices.

Begin by creating a new VLAN on the FortiSwitch. This VLAN will be used specifically for assigning devices that are not matched by any preconfigured NAC policies.

2. Configure a nac-policy on FortiGate.

Using the FortiGate GUI, set up a nac-policy with a wildcard mac-address (**:**:**:**:**:**) and assign the newly created VLAN to it.

Note: Over the FortiGate GUI, the mac-policy will be created by default when creating a nac-policy.

When creating a nac-policy using the CLI commands, configure a mac-policy as follows prior to configuring the nac-policy:

On the FortiGate CLI:

config switch-controller mac-policy
    edit "Catch-all"
        set description ''
        set fortilink <FortiLink_interface_name>
        set vlan <vlan_name>
        set bounce-port-link enable
    next
end

Create a nac-policy that uses the wildcard mac-address to match all remaining devices and associates them with the previously configured mac-policy:

On the FortiGate CLI:

config user nac-policy
    edit "Catch-all"
        set mac "**:**:**:**:**:**"
        set switch-fortilink <FortiLink_interface_name>
        set switch-mac-policy "Catch-all"
    next
end

This configuration ensures that any device not matching existing NAC policies is automatically mapped to the specified VLAN.